Infosecurity
Raiting:
15

Critical vulnerabilities in the WPA2 protocol - Key Reinstallation Attacks (KRACK)


image

The group of researchers found serious shortcomings in the WPA2 protocol, which provides protection for all modern Wi-Fi networks. An attacker who is in the victim's area can use these shortcomings using Key Reinstallation Attacks. Attackers can use this new attack method to read information that was previously considered to be encrypted.

UPD: the post was updated with partial details of the attack and the list of vendor updates.

The vulnerabilities of WPA2 allow to bypass protection and listen to Wi-Fi traffic transmitted between the access point and the computer. They are assigned the following CVE identifiers:


CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
In a key reinstallation attack, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying cryptographic handshake messages. When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value. Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.
As a Proof-of-Concept video is provided, which shows the attack on a smartphone running Android:

Researchers have created a site, on which in the near future they promise to publish more detailed details of the attack. Also created repository (while empty).

Some manufacturers are already aware of the problem:
US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.
The technical details of the attack are partially disclosed by one of the researchers: papers.mathyvanhoef.com/ccs2017.pdf

Disclosure of information about the attack is planned for today, October 16, 2017. As the information arrives, the post will be updated.

UPD:
<blockquote> The attack works against frequent and corporate Wi-Fi networks, against the outdated WPA and the new WPA2 standard, and even against networks that use only AES. All our attacks directed at WPA2 use innovative key reinstallation techniques, "write the authors of KRACK. <Tgsrbq>
In fact, KRACK allows an attacker to perform a man-in-the-middle attack and force network members to reinstall the encryption keys that protect WPA2 traffic. In addition, if the network is configured to use WPA-TKIP or GCMP, an attacker can not only listen for WPA2 traffic, but also inject packets into victim data.

The KRACK method is universal and works against any devices connected to a Wi-Fi network. That is, in danger, absolutely all users of Android, Linux, iOS, macOS, Windows, OpenBSD, as well as numerous IoT-devices.

According to the researchers, the exploit will not be published until the moment most vendors release the update.

To check the presence / absence of a patch for a particular vendor, you can here , or on the manufacturer's homepage.
Skull 4 november 2017, 11:55
Vote for this post
Bring it to the Main Page
 

Comments

Leave a Reply

B
I
U
S
Help
Avaible tags
  • <b>...</b>highlighting important text on the page in bold
  • <i>..</i>highlighting important text on the page in italic
  • <u>...</u>allocated with tag <u> text shownas underlined
  • <s>...</s>allocated with tag <s> text shown as strikethrough
  • <sup>...</sup>, <sub>...</sub>text in the tag <sup> appears as a superscript, <sub> - subscript
  • <blockquote>...</blockquote>For  highlight citation, use the tag <blockquote>
  • <code lang="lang">...</code>highlighting the program code (supported by bash, cpp, cs, css, xml, html, java, javascript, lisp, lua, php, perl, python, ruby, sql, scala, text)
  • <a href="http://...">...</a>link, specify the desired Internet address in the href attribute
  • <img src="http://..." alt="text" />specify the full path of image in the src attribute